The Community Forums


Security Flaw with email in cpanel?

Discussion in 'Security' started by Secmas, Apr 8, 2010.

  1. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Why can an email sent through an authenticated SMTP be delivered using a header that is not the same as the account that authenticated the delivery?

    Is that not a security flaw?

    I have the following scenario... a customer is reporting that, using a PHP script, he could send emails with headers saying that the FROM email address could be anything, even Yahoo or Gmail accounts.

    I have checked and he is right, you can do that. Also, you can use Outlook Express, Outlook or Thunderbird and you can set the from address to something completely different from what is set on the SMTP.

    So, you could send an email to all your colleagues impersonating your boss, telling them that this Friday is a paid day off... do you know what will happen...

    OK, I know that if you check the headers of the email you will discover that the FROM is different from the SMTP account, but... Who is checking headers on any email? Does a regular person know how to check this? I don't think so.

    So, my question is, is there a way to make Exim check if the sender is the same as the from address?
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    This is not a "security issue" and it is perfectly normal to set any FROM headers you wish, not just on a cPanel system but on any email system in the world, and this is standard practice for every spammer out there, as I have yet to see one that actually used their own "FROM" headers.

    I can very easily say I'm anyone I wish in my headers from any email system --- not just cPanel (Exim) --- but if I am not a valid sender for who I claim to be, my messages are going to be trashed because the vast majority of email servers use mail verification technologies of some sort to confirm that the sending server is indeed authorized to be sending mail for the domain in question. Standard address verifications, SPF, and DomainKeys are just a few of these types of technologies meant to do just this.

    Anyone can set whatever headers they wish on any email anywhere. The real question, however, is whether the mail server allows you to send without properly authenticating (i.e., open relay), and whether your mail server is authorized to send for the domain you claim to be.
     
  3. Secmas

    Secmas Well-Known Member

    Thank you Spiral for your answer.

    Well, my servers are hardened and are protected so as not to be open relays; the problem is that I don't want a real user to send emails pretending he is someone else. I want to be sure that the account that has authenticated the SMTP is the real "from". Do you think it is hard to accomplish?

    Right now I have seen that GoDaddy email servers are doing a great job protecting this, as if you want to send an email with a "from" different from the authenticated one, then the email is not delivered.

    Regards,

    Sergio
     
  4. Secmas

    Secmas Well-Known Member

    @Spiral...
    I want to send you a PM but it seems that your PM inbox is full.

    Regards,

    Sergio
     
  5. Spiral

    Spiral BANNED

    I received the alerts this morning on your 3 bounced private messages ....

    Sorry about that ---

    I was offline with a really nasty flu over the weekend and wasn't checking my private messages at all.
     
  6. Secmas

    Secmas Well-Known Member

    Hope you get better.

    Thanks for replying.

    Regards,
    Sergio
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    cPanel is not an MTA -- Consider tweaking the Exim MTA (mail server) configuration

    The described behavior is not a security flaw in cPanel; additionally, cPanel is not a mail transport agent (MTA), thus, it is unrelated to e-mail in cPanel; however, cPanel and WHM offer tools to tweak your system configuration, allowing you to counteract the undesirable mail usage by ensuring the Sender header is always set for outbound messages sent through your local MTA, such as Exim.

    Please see the following thread in the Mail forums for more verbose instruction: Spoofing Mail From My Server - cPanel Forums
     
    #7 cPanelDon, Apr 14, 2010
    Last edited: Apr 14, 2010
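
The check asked for in the first post and the Sender header behaviour mentioned in the last one, sketched as an added example (not code from the thread, cPanel or Exim): it compares the SMTP AUTH login with the address in From: and, on a mismatch, produces the Sender: line naming the authenticated account. It assumes the login is a full e-mail address; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def from_addresses(raw_message):
    """Return the lower-cased addresses found in all From: headers."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    # Only the real address counts; the display name is free text.
    return [addr.lower() for _name, addr in pairs if addr]


def check_sender(auth_id, raw_message):
    """Compare the SMTP AUTH login with the From: header.

    Returns (verdict, sender_header). The verdict is "match" only when
    From: holds exactly one address and it equals the login. On
    "mismatch", sender_header is the Sender: line that exposes the
    authenticated account to the recipient.
    """
    login = auth_id.strip().lower()  # assumption: login is user@domain
    if from_addresses(raw_message) == [login]:
        return "match", None
    return "mismatch", "Sender: " + login


# Constructed sample messages (not taken from the thread).
HONEST = "From: Sergio <sergio@example.com>\nSubject: hi\n\nbody\n"
SPOOFED = "From: The Boss <boss@example.com>\nSubject: day off\n\nbody\n"
# Display name shows the login, but the real address is someone else.
DISPLAY_NAME = ('From: "sergio@example.com" <boss@example.com>\n'
                "Subject: day off\n\nbody\n")
NO_FROM = "Subject: no From header at all\n\nbody\n"

if __name__ == "__main__":
    samples = [("honest", HONEST), ("spoofed", SPOOFED),
               ("display-name", DISPLAY_NAME), ("no-from", NO_FROM)]
    for label, raw in samples:
        print(label, check_sender("sergio@example.com", raw))
```

Whether a mismatch is rejected outright or only labelled with Sender: is a policy choice; the thread describes both behaviours.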